
Tackling the Challenge of Actionable Intelligence Through Context

Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization.

Recognition of the importance of threat intelligence has been building for years. But it has taken center stage as the acceleration of digital transformation and the shift to hybrid work models have expanded the attack surface, and geopolitical events have raised the stakes for defenders to protect critical infrastructure and sensitive data. Government leaders are pointing to threat intelligence sharing and best practices as key components that have helped strengthen cybersecurity and mitigate the impact of cyberwarfare.  

Recent surveys corroborate the value organizations place on threat intelligence, but also reveal challenges in making it actionable. Based on responses from 1,350 business and IT leaders, Mandiant’s Global Perspectives on Threat Intelligence report (PDF) finds that while nearly all (96%) respondents are satisfied with the quality of their threat intelligence, 47% struggle to apply threat intel across the security organization and 70% say they make decisions without adversary insights at least a majority of the time.

Automation can help make threat intelligence actionable, but automation alone is not enough; it also requires contextualization and prioritization, so that you are automating and acting on the right data at the right time. To see what this means in practice, let’s dig deeper into the use case that respondents to the CRA study cite most often for threat intelligence: vulnerability management.

The number of Common Vulnerabilities and Exposures (CVEs) published climbed to 25,227 in 2022. However, at any given time only a small fraction of known vulnerabilities is actively exploited or even practically exploitable, and for any given organization only a fraction of those is used by the threat actors and campaigns likely to target it. So how do you know what to focus on for your organization?

Imagine a Venn diagram in which vulnerability management is one circle and intelligence from both internal and external sources, which supplies context, is the other. The overlap is your area of risk, and it is where that context lets you prioritize vulnerabilities. The same context can then prioritize mitigation, so you can streamline vulnerability management workflows and achieve the best outcomes for your organization.

In this case, context comes from how many assets are vulnerable, how critical they are to the organization, whether they are already protected by compensating controls, whether the vulnerability is being actively exploited, whether threat actors are targeting your specific industry or region, and whether indicators of compromise (IoCs) associated with it have been seen in your environment. These elements help you estimate the likelihood of the vulnerability being exploited in your environment, while external data on CVEs, indicators, adversaries and their methods helps you understand the consequences if it is. When you aggregate and correlate internal context with external threat intelligence, you can prioritize vulnerabilities automatically based on parameters you set, so the organization takes the right actions at the right time.

For example, you might determine that a vulnerability needs to be addressed immediately because IoCs associated with it have been sighted in your environment and it is known to be actively exploited by threat actors targeting your industry or region. Or you may find that the vulnerability is not relevant to your industry and therefore a lower priority, though you may still decide to patch based on your risk profile. Or you may find that it is not being actively exploited at all, so it does not make sense to patch it now or to deploy compensating controls, although you continue to watch it.
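The prioritization logic described above, as an added example that is not part of the original article or of any vendor product: it correlates a constructed internal inventory (vulnerable asset counts, criticality, compensating controls, IoC sightings) with a constructed external feed (exploitation status, targeted sectors and regions) and assigns each CVE one of the outcomes the text describes. The class names, the policy knob `schedule_if_criticality_at_least`, the tier labels and every CVE id and value are assumptions made for illustration.

```python
"""Context-driven vulnerability prioritization.

Added example, not code from the original article or from any vendor product.
It joins an internal view of each CVE with an external intel feed and assigns
an action tier under tunable policy parameters. Every CVE id, feed value and
asset count below is constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalIntel:
    """What an external feed says about a CVE (constructed values)."""
    actively_exploited: bool        # e.g. a 'known exploited' flag from a feed
    targeted_sectors: frozenset     # sectors the associated actors go after
    targeted_regions: frozenset

@dataclass(frozen=True)
class InternalContext:
    """What your own inventory and telemetry say (constructed values)."""
    vulnerable_assets: int
    max_asset_criticality: int      # 1 (low) .. 5 (crown jewel)
    compensating_control: bool      # WAF rule, segmentation or virtual patch in place?
    ioc_sightings: int              # hits on the CVE's IoCs in your environment

@dataclass(frozen=True)
class Policy:
    """Knobs that express the organization's risk profile (assumed names)."""
    sector: str
    region: str
    # Exploited-but-untargeted CVEs still get scheduled when they expose
    # assets at or above this criticality with no compensating control.
    schedule_if_criticality_at_least: int = 4

@dataclass
class Decision:
    cve: str
    tier: str                       # IMMEDIATE > SCHEDULED > LOW > WATCH > NONE
    reasons: list

TIER_RANK = {"IMMEDIATE": 0, "SCHEDULED": 1, "LOW": 2, "WATCH": 3, "NONE": 4}

def prioritize(cve, ext, ctx, policy):
    """Apply the outcomes the text describes, most urgent first."""
    if ctx.vulnerable_assets == 0:
        return Decision(cve, "NONE", ["no vulnerable assets in inventory"])
    targets_us = (policy.sector in ext.targeted_sectors
                  or policy.region in ext.targeted_regions)
    reasons = []
    if ctx.ioc_sightings:
        reasons.append(f"{ctx.ioc_sightings} IoC sighting(s) in our environment")
    if ext.actively_exploited:
        reasons.append("actively exploited in the wild")
    if targets_us:
        reasons.append("associated actors target our sector or region")
    # 1. Already seen in our environment, or exploited by actors aiming at us: act now.
    if ctx.ioc_sightings or (ext.actively_exploited and targets_us):
        return Decision(cve, "IMMEDIATE", reasons)
    # 2. Exploited elsewhere but not aimed at us: lower priority, yet the risk
    #    profile can still force a patch when critical assets sit unprotected.
    if ext.actively_exploited:
        if (ctx.max_asset_criticality >= policy.schedule_if_criticality_at_least
                and not ctx.compensating_control):
            reasons.append("critical asset exposed with no compensating control")
            return Decision(cve, "SCHEDULED", reasons)
        reasons.append("not targeting our sector/region; normal patch cadence")
        return Decision(cve, "LOW", reasons)
    # 3. No known exploitation: neither an out-of-cycle patch nor new controls
    #    are justified yet; keep watching and re-score when the intel changes.
    reasons.append("no known exploitation; re-evaluate when intel changes")
    return Decision(cve, "WATCH", reasons)

def correlate(inventory, feed, policy):
    """Join internal context with external intel per CVE and rank the results.
    A CVE missing from the feed is scored as unexploited and untargeted rather
    than dropped, so a gap in the feed never silently hides an exposed asset."""
    unknown = ExternalIntel(False, frozenset(), frozenset())
    decisions = [prioritize(cve, feed.get(cve, unknown), ctx, policy)
                 for cve, ctx in inventory.items()]
    return sorted(decisions, key=lambda d: (TIER_RANK[d.tier], d.cve))

# Constructed sample data; the CVE ids are placeholders, not real advisories.
SAMPLE_FEED = {
    "CVE-2099-0001": ExternalIntel(True, frozenset({"energy", "finance"}), frozenset({"EU"})),
    "CVE-2099-0002": ExternalIntel(True, frozenset({"retail"}), frozenset({"APAC"})),
    "CVE-2099-0003": ExternalIntel(False, frozenset(), frozenset()),
    "CVE-2099-0004": ExternalIntel(True, frozenset({"retail"}), frozenset({"APAC"})),
}
SAMPLE_INVENTORY = {
    "CVE-2099-0001": InternalContext(12, 5, False, 3),   # sightings, exploited, targeted
    "CVE-2099-0002": InternalContext(40, 5, False, 0),   # exploited, untargeted, crown jewel exposed
    "CVE-2099-0003": InternalContext(200, 3, False, 0),  # widespread, no exploitation known
    "CVE-2099-0004": InternalContext(4, 2, True, 0),     # exploited, untargeted, low value, mitigated
    "CVE-2099-0005": InternalContext(0, 1, False, 0),    # nothing vulnerable in inventory
}
SAMPLE_POLICY = Policy(sector="energy", region="NA")

if __name__ == "__main__":
    for d in correlate(SAMPLE_INVENTORY, SAMPLE_FEED, SAMPLE_POLICY):
        print(f"{d.cve}  {d.tier:<9}  {'; '.join(d.reasons)}")
```

Running the module prints the ranked list: the IMMEDIATE entry is the one with IoC sightings plus active exploitation by actors targeting the policy's sector, the SCHEDULED entry is an exploited but untargeted vulnerability on a crown-jewel asset with no compensating control, the LOW entry is the same situation on a low-value, already mitigated asset, and the WATCH entry is the widely deployed but unexploited one. The `schedule_if_criticality_at_least` knob is where your risk profile decides whether the second case gets patched now; the feed-gap default in `correlate` is the caveat that matters in practice, since an incomplete feed should never make an exposed asset disappear from the list.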


Without that context, you could be patching vulnerabilities that are not being actively exploited, that are low priority or, worse, whose patch negatively impacts operations. Threat intelligence is only actionable with both context and automation; used together, they let you apply threat intelligence to achieve the best outcome for your organization. In this case, that means a shrinking list of vulnerable assets and a stronger security posture, faster.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
